Domain validation for TLS certificates

Last updated July 17, 2017

When you purchase our shared certificate or shared wildcard certificate TLS options, our partner Certificate Authority (GlobalSign) must verify you control the domains requested and that you authorize us to request a certificate service on your behalf. You can choose:

DNS text record verification (preferred)

URL verification

Email verification

Regardless of the verification method you use, be sure to follow our instructions to begin the TLS ordering process.

DNS text record verification

We provide you with a unique DNS TXT record you need to add for the zone origin ("@"). The text of this entry will change depending on the certificate to which your domain is added. The meta tag will be formatted similar to one of the following (where the {METATAG} will change depending on the certificate):

@ IN TXT "globalsign-domain-verification={META TAG}"

@ IN TXT "_globalsign-domain-verification={META TAG}"

We will provide you with the appropriate text record listed above. Consult the documentation for your DNS server or hosted DNS provider for more information about how to add the record. This text record must be wholly separate from other text records. A prepended, inserted, or appended record will not work.

URL verification

We provide you with an HTML meta tag you need to add to a specifically named web page served at the requested domain or apex domain you're adding. Use the format http:<REQUESTED APEX OR SUBDOMAIN>/.well-known/pki-validation/gsdv.txt where <REQUESTED APEX OR SUBDOMAIN> is the domain being added to the certificate. The meta tag will be formatted similar to one of the following (where the {METATAG} text will change depending on the certificate):

<meta name="globalsign-domain-verification" content="{META TAG}" />

<meta name="_globalsign-domain-verification" content="{META TAG}" />

We will provide you with the appropriate meta tag listed above. This text must be served from the actual requested domain or root domain. For example, if you add the domain www.example.com to the certificate, GlobalSign will specifically query http://www.example.com or http://example.com during the verification process. The verification tag must be served from whatever resource is returned from that URL. GlobalSign will not follow redirects or request a file on that domain, such as http://www.example.com/verify.html or http://www.example.com/index.html.

Email verification

GlobalSign will give Fastly a list of acceptable email addresses to which they can send a validation email. Generally these email addresses match those that appear on the WHOIS record of the domain requested, plus the following:

admin@domain.com

administrator@domain.com

hostmaster@domain.com

postmaster@domain.com

webmaster@domain.com

For entries requested for a subdomain, each of those addresses @subdomain.domain.com will also work (e.g., admin@subdomain.domain.com).

We will send you the list of acceptable email address. You will need to tell us which email address to use. GlobalSign will then send a verification email to the email address you specify. Once you receive the verification email, you will need to click on a link in that email and follow the instructions to complete the validation.

Was this guide helpful?

Yes
No

Tell us what worked and what we could do better.

Do not use this form to send sensitive information. If you need assistance, contact support@fastly.com.